Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Expected RADIUS behaviour for Aruba-ASI (NAS-IP-ADDRESS) ?

  • 1.  Expected RADIUS behaviour for Aruba-ASI (NAS-IP-ADDRESS) ?

    Posted Oct 16, 2019 04:30 PM

    Scenario:

    • Aruba AOS8 L2-cluster with ASI, external 3rd-party RADIUS servers.

     

    Questions:

    1. When will the NAS-IP-ADDRESS be used by the RADIUS server?
    2. Will a RADIUS server ever try to send a packet to the NAS-IP-ADDRESS? 

     

    I'm asking specifically because I'm concerned about my MC's real IP being NAT'd en route to the RADIUS server. The NAT device will of course handle any return traffic to the same source IP, but anything sent to the NAS-IP-ADDRESS will be lost?

     

    Thanks



  • 2.  RE: Expected RADIUS behaviour for Aruba-ASI (NAS-IP-ADDRESS) ?

    Posted Oct 16, 2019 07:12 PM

    RFC2865 doesn't mention much, only that it is an attribute in the Access-Request packet. It doesn't mention if anything will ever be sent to this IP.

     

    https://tools.ietf.org/html/rfc2865#section-5.4

     

    5.4.  NAS-IP-Address
    
       Description
    
          This Attribute indicates the identifying IP Address of the NAS
          which is requesting authentication of the user, and SHOULD be
          unique to the NAS within the scope of the RADIUS server. NAS-IP-
          Address is only used in Access-Request packets.  Either NAS-IP-
          Address or NAS-Identifier MUST be present in an Access-Request
          packet.
    
          Note that NAS-IP-Address MUST NOT be used to select the shared
          secret used to authenticate the request.  The source IP address of
          the Access-Request packet MUST be used to select the shared
          secret.
    
       A summary of the NAS-IP-Address Attribute format is shown below.  The
       fields are transmitted from left to right.
    
        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |     Type      |    Length     |            Address
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                Address (cont)         |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

     

     

     



  • 3.  RE: Expected RADIUS behaviour for Aruba-ASI (NAS-IP-ADDRESS) ?
    Best Answer

    EMPLOYEE
    Posted Oct 17, 2019 10:26 AM

    NAS-IP is used for Dynamic Authorization.
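
Added example, not part of the thread or of any vendor's code: a parser for the RFC 2865 section 5.4 attribute quoted above that looks up the shared secret by packet source IP and reports when the NAS-IP-Address inside the request differs from that source, as in the NAT scenario from the first post. The function names, the sample packet and the addresses are constructed for illustration.

```python
import ipaddress
import struct

ACCESS_REQUEST = 1   # RADIUS Code for Access-Request
NAS_IP_ADDRESS = 4   # RFC 2865 section 5.4: Type 4, Length 6, 4-octet address

def parse_attributes(packet: bytes) -> list:
    """Return [(type, value), ...] from a RADIUS packet, validating lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad packet Length field")
    attrs, pos = [], 20  # skip Code, Identifier, Length, Authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def nas_ip_address(packet: bytes):
    """Return NAS-IP-Address from an Access-Request as a string, or None."""
    attrs = parse_attributes(packet)
    if packet[0] != ACCESS_REQUEST:
        raise ValueError("NAS-IP-Address is only used in Access-Request")
    for atype, value in attrs:
        if atype == NAS_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("NAS-IP-Address must carry 4 octets")
            return str(ipaddress.IPv4Address(value))
    return None

def inspect_request(packet: bytes, source_ip: str, secrets: dict) -> dict:
    """secrets is keyed by packet source IP, never by NAS-IP-Address (5.4)."""
    nas_ip = nas_ip_address(packet)
    return {"secret_known": source_ip in secrets, "nas_ip": nas_ip,
            "differs_from_source": nas_ip is not None and nas_ip != source_ip}

def build_sample(nas_ip: str) -> bytes:
    """Constructed Access-Request: User-Name 'alice' plus NAS-IP-Address."""
    attrs = bytes([1, 7]) + b"alice"
    attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    # Constructed case: controller 10.1.1.10 seen by the server as 192.0.2.1
    print(inspect_request(build_sample("10.1.1.10"), "192.0.2.1", {"192.0.2.1": b"x"}))
```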